Documentation
¶
Index ¶
- Variables
- type CertificateSigningRequest
- func (*CertificateSigningRequest) Descriptor() ([]byte, []int)deprecated
- func (x *CertificateSigningRequest) GetMetadata() *v1.ObjectMeta
- func (x *CertificateSigningRequest) GetSpec() *CertificateSigningRequestSpec
- func (x *CertificateSigningRequest) GetStatus() *CertificateSigningRequestStatus
- func (*CertificateSigningRequest) ProtoMessage()
- func (x *CertificateSigningRequest) ProtoReflect() protoreflect.Message
- func (x *CertificateSigningRequest) Reset()
- func (x *CertificateSigningRequest) String() string
- type CertificateSigningRequestCondition
- func (*CertificateSigningRequestCondition) Descriptor() ([]byte, []int)deprecated
- func (x *CertificateSigningRequestCondition) GetLastTransitionTime() *v1.Time
- func (x *CertificateSigningRequestCondition) GetLastUpdateTime() *v1.Time
- func (x *CertificateSigningRequestCondition) GetMessage() string
- func (x *CertificateSigningRequestCondition) GetReason() string
- func (x *CertificateSigningRequestCondition) GetStatus() string
- func (x *CertificateSigningRequestCondition) GetType() string
- func (*CertificateSigningRequestCondition) ProtoMessage()
- func (x *CertificateSigningRequestCondition) ProtoReflect() protoreflect.Message
- func (x *CertificateSigningRequestCondition) Reset()
- func (x *CertificateSigningRequestCondition) String() string
- type CertificateSigningRequestList
- func (*CertificateSigningRequestList) Descriptor() ([]byte, []int)deprecated
- func (x *CertificateSigningRequestList) GetItems() []*CertificateSigningRequest
- func (x *CertificateSigningRequestList) GetMetadata() *v1.ListMeta
- func (*CertificateSigningRequestList) ProtoMessage()
- func (x *CertificateSigningRequestList) ProtoReflect() protoreflect.Message
- func (x *CertificateSigningRequestList) Reset()
- func (x *CertificateSigningRequestList) String() string
- type CertificateSigningRequestSpec
- func (*CertificateSigningRequestSpec) Descriptor() ([]byte, []int)deprecated
- func (x *CertificateSigningRequestSpec) GetExtra() map[string]*ExtraValue
- func (x *CertificateSigningRequestSpec) GetGroups() []string
- func (x *CertificateSigningRequestSpec) GetRequest() []byte
- func (x *CertificateSigningRequestSpec) GetSignerName() string
- func (x *CertificateSigningRequestSpec) GetUid() string
- func (x *CertificateSigningRequestSpec) GetUsages() []string
- func (x *CertificateSigningRequestSpec) GetUsername() string
- func (*CertificateSigningRequestSpec) ProtoMessage()
- func (x *CertificateSigningRequestSpec) ProtoReflect() protoreflect.Message
- func (x *CertificateSigningRequestSpec) Reset()
- func (x *CertificateSigningRequestSpec) String() string
- type CertificateSigningRequestStatus
- func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int)deprecated
- func (x *CertificateSigningRequestStatus) GetCertificate() []byte
- func (x *CertificateSigningRequestStatus) GetConditions() []*CertificateSigningRequestCondition
- func (*CertificateSigningRequestStatus) ProtoMessage()
- func (x *CertificateSigningRequestStatus) ProtoReflect() protoreflect.Message
- func (x *CertificateSigningRequestStatus) Reset()
- func (x *CertificateSigningRequestStatus) String() string
- type ExtraValue
Constants ¶
This section is empty.
Variables ¶
View Source
var File_k8s_io_api_certificates_v1_generated_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type CertificateSigningRequest ¶
type CertificateSigningRequest struct {
// +optional
Metadata *v1.ObjectMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
Spec *CertificateSigningRequestSpec `protobuf:"bytes,2,opt,name=spec" json:"spec,omitempty"`
// status contains information about whether the request is approved or denied,
// and the certificate issued by the signer, or the failure condition indicating signer failure.
// +optional
Status *CertificateSigningRequestStatus `protobuf:"bytes,3,opt,name=status" json:"status,omitempty"`
// contains filtered or unexported fields
}
CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
Kubelets use this API to obtain:
- client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
- serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.
func (*CertificateSigningRequest) Descriptor
deprecated
func (*CertificateSigningRequest) Descriptor() ([]byte, []int)
Deprecated: Use CertificateSigningRequest.ProtoReflect.Descriptor instead.
func (*CertificateSigningRequest) GetMetadata ¶
func (x *CertificateSigningRequest) GetMetadata() *v1.ObjectMeta
func (*CertificateSigningRequest) GetSpec ¶
func (x *CertificateSigningRequest) GetSpec() *CertificateSigningRequestSpec
func (*CertificateSigningRequest) GetStatus ¶
func (x *CertificateSigningRequest) GetStatus() *CertificateSigningRequestStatus
func (*CertificateSigningRequest) ProtoMessage ¶
func (*CertificateSigningRequest) ProtoMessage()
func (*CertificateSigningRequest) ProtoReflect ¶
func (x *CertificateSigningRequest) ProtoReflect() protoreflect.Message
func (*CertificateSigningRequest) Reset ¶
func (x *CertificateSigningRequest) Reset()
func (*CertificateSigningRequest) String ¶
func (x *CertificateSigningRequest) String() string
type CertificateSigningRequestCondition ¶
type CertificateSigningRequestCondition struct {
// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
//
// An "Approved" condition is added via the /approval subresource,
// indicating the request was approved and should be issued by the signer.
//
// A "Denied" condition is added via the /approval subresource,
// indicating the request was denied and should not be issued by the signer.
//
// A "Failed" condition is added via the /status subresource,
// indicating the signer failed to issue the certificate.
//
// Approved and Denied conditions are mutually exclusive.
// Approved, Denied, and Failed conditions cannot be removed once added.
//
// Only one condition of a given type is allowed.
Type *string `protobuf:"bytes,1,opt,name=type" json:"type,omitempty"`
// status of the condition, one of True, False, Unknown.
// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
Status *string `protobuf:"bytes,6,opt,name=status" json:"status,omitempty"`
// reason indicates a brief reason for the request state
// +optional
Reason *string `protobuf:"bytes,2,opt,name=reason" json:"reason,omitempty"`
// message contains a human readable message with details about the request state
// +optional
Message *string `protobuf:"bytes,3,opt,name=message" json:"message,omitempty"`
// lastUpdateTime is the time of the last update to this condition
// +optional
LastUpdateTime *v1.Time `protobuf:"bytes,4,opt,name=lastUpdateTime" json:"lastUpdateTime,omitempty"`
// lastTransitionTime is the time the condition last transitioned from one status to another.
// If unset, when a new condition type is added or an existing condition's status is changed,
// the server defaults this to the current time.
// +optional
LastTransitionTime *v1.Time `protobuf:"bytes,5,opt,name=lastTransitionTime" json:"lastTransitionTime,omitempty"`
// contains filtered or unexported fields
}
CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
func (*CertificateSigningRequestCondition) Descriptor
deprecated
func (*CertificateSigningRequestCondition) Descriptor() ([]byte, []int)
Deprecated: Use CertificateSigningRequestCondition.ProtoReflect.Descriptor instead.
func (*CertificateSigningRequestCondition) GetLastTransitionTime ¶
func (x *CertificateSigningRequestCondition) GetLastTransitionTime() *v1.Time
func (*CertificateSigningRequestCondition) GetLastUpdateTime ¶
func (x *CertificateSigningRequestCondition) GetLastUpdateTime() *v1.Time
func (*CertificateSigningRequestCondition) GetMessage ¶
func (x *CertificateSigningRequestCondition) GetMessage() string
func (*CertificateSigningRequestCondition) GetReason ¶
func (x *CertificateSigningRequestCondition) GetReason() string
func (*CertificateSigningRequestCondition) GetStatus ¶
func (x *CertificateSigningRequestCondition) GetStatus() string
func (*CertificateSigningRequestCondition) GetType ¶
func (x *CertificateSigningRequestCondition) GetType() string
func (*CertificateSigningRequestCondition) ProtoMessage ¶
func (*CertificateSigningRequestCondition) ProtoMessage()
func (*CertificateSigningRequestCondition) ProtoReflect ¶
func (x *CertificateSigningRequestCondition) ProtoReflect() protoreflect.Message
func (*CertificateSigningRequestCondition) Reset ¶
func (x *CertificateSigningRequestCondition) Reset()
func (*CertificateSigningRequestCondition) String ¶
func (x *CertificateSigningRequestCondition) String() string
type CertificateSigningRequestList ¶
type CertificateSigningRequestList struct {
// +optional
Metadata *v1.ListMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
// items is a collection of CertificateSigningRequest objects
Items []*CertificateSigningRequest `protobuf:"bytes,2,rep,name=items" json:"items,omitempty"`
// contains filtered or unexported fields
}
CertificateSigningRequestList is a collection of CertificateSigningRequest objects
func (*CertificateSigningRequestList) Descriptor
deprecated
func (*CertificateSigningRequestList) Descriptor() ([]byte, []int)
Deprecated: Use CertificateSigningRequestList.ProtoReflect.Descriptor instead.
func (*CertificateSigningRequestList) GetItems ¶
func (x *CertificateSigningRequestList) GetItems() []*CertificateSigningRequest
func (*CertificateSigningRequestList) GetMetadata ¶
func (x *CertificateSigningRequestList) GetMetadata() *v1.ListMeta
func (*CertificateSigningRequestList) ProtoMessage ¶
func (*CertificateSigningRequestList) ProtoMessage()
func (*CertificateSigningRequestList) ProtoReflect ¶
func (x *CertificateSigningRequestList) ProtoReflect() protoreflect.Message
func (*CertificateSigningRequestList) Reset ¶
func (x *CertificateSigningRequestList) Reset()
func (*CertificateSigningRequestList) String ¶
func (x *CertificateSigningRequestList) String() string
type CertificateSigningRequestSpec ¶
type CertificateSigningRequestSpec struct {
// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
// When serialized as JSON or YAML, the data is additionally base64-encoded.
// +listType=atomic
Request []byte `protobuf:"bytes,1,opt,name=request" json:"request,omitempty"`
// signerName indicates the requested signer, and is a qualified name.
//
// List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
//
// Well-known Kubernetes signers are:
// 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
// Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
// 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
// Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
// 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
// Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
//
// More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
//
// Custom signerNames can also be specified. The signer defines:
// 1. Trust distribution: how trust (CA bundles) are distributed.
// 2. Permitted subjects: and behavior when a disallowed subject is requested.
// 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
// 4. Required, permitted, or forbidden key usages / extended key usages.
// 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
// 6. Whether or not requests for CA certificates are allowed.
SignerName *string `protobuf:"bytes,7,opt,name=signerName" json:"signerName,omitempty"`
// usages specifies a set of key usages requested in the issued certificate.
//
// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
//
// Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
//
// Valid values are:
// "signing", "digital signature", "content commitment",
// "key encipherment", "key agreement", "data encipherment",
// "cert sign", "crl sign", "encipher only", "decipher only", "any",
// "server auth", "client auth",
// "code signing", "email protection", "s/mime",
// "ipsec end system", "ipsec tunnel", "ipsec user",
// "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
// +listType=atomic
Usages []string `protobuf:"bytes,5,rep,name=usages" json:"usages,omitempty"`
// username contains the name of the user that created the CertificateSigningRequest.
// Populated by the API server on creation and immutable.
// +optional
Username *string `protobuf:"bytes,2,opt,name=username" json:"username,omitempty"`
// uid contains the uid of the user that created the CertificateSigningRequest.
// Populated by the API server on creation and immutable.
// +optional
Uid *string `protobuf:"bytes,3,opt,name=uid" json:"uid,omitempty"`
// groups contains group membership of the user that created the CertificateSigningRequest.
// Populated by the API server on creation and immutable.
// +listType=atomic
// +optional
Groups []string `protobuf:"bytes,4,rep,name=groups" json:"groups,omitempty"`
// extra contains extra attributes of the user that created the CertificateSigningRequest.
// Populated by the API server on creation and immutable.
// +optional
Extra map[string]*ExtraValue `` /* 130-byte string literal not displayed */
// contains filtered or unexported fields
}
CertificateSigningRequestSpec contains the certificate request.
func (*CertificateSigningRequestSpec) Descriptor
deprecated
func (*CertificateSigningRequestSpec) Descriptor() ([]byte, []int)
Deprecated: Use CertificateSigningRequestSpec.ProtoReflect.Descriptor instead.
func (*CertificateSigningRequestSpec) GetExtra ¶
func (x *CertificateSigningRequestSpec) GetExtra() map[string]*ExtraValue
func (*CertificateSigningRequestSpec) GetGroups ¶
func (x *CertificateSigningRequestSpec) GetGroups() []string
func (*CertificateSigningRequestSpec) GetRequest ¶
func (x *CertificateSigningRequestSpec) GetRequest() []byte
func (*CertificateSigningRequestSpec) GetSignerName ¶
func (x *CertificateSigningRequestSpec) GetSignerName() string
func (*CertificateSigningRequestSpec) GetUid ¶
func (x *CertificateSigningRequestSpec) GetUid() string
func (*CertificateSigningRequestSpec) GetUsages ¶
func (x *CertificateSigningRequestSpec) GetUsages() []string
func (*CertificateSigningRequestSpec) GetUsername ¶
func (x *CertificateSigningRequestSpec) GetUsername() string
func (*CertificateSigningRequestSpec) ProtoMessage ¶
func (*CertificateSigningRequestSpec) ProtoMessage()
func (*CertificateSigningRequestSpec) ProtoReflect ¶
func (x *CertificateSigningRequestSpec) ProtoReflect() protoreflect.Message
func (*CertificateSigningRequestSpec) Reset ¶
func (x *CertificateSigningRequestSpec) Reset()
func (*CertificateSigningRequestSpec) String ¶
func (x *CertificateSigningRequestSpec) String() string
type CertificateSigningRequestStatus ¶
type CertificateSigningRequestStatus struct {
// conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
// +listType=map
// +listMapKey=type
// +optional
Conditions []*CertificateSigningRequestCondition `protobuf:"bytes,1,rep,name=conditions" json:"conditions,omitempty"`
// certificate is populated with an issued certificate by the signer after an Approved condition is present.
// This field is set via the /status subresource. Once populated, this field is immutable.
//
// If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
// If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
//
// Validation requirements:
// 1. certificate must contain one or more PEM blocks.
// 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
// must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
// 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
// to allow for explanatory text as described in section 5.2 of RFC7468.
//
// If more than one PEM block is present, and the definition of the requested spec.signerName
// does not indicate otherwise, the first block is the issued certificate,
// and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
//
// The certificate is encoded in PEM format.
//
// When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
//
// base64(
// -----BEGIN CERTIFICATE-----
// ...
// -----END CERTIFICATE-----
// )
//
// +listType=atomic
// +optional
Certificate []byte `protobuf:"bytes,2,opt,name=certificate" json:"certificate,omitempty"`
// contains filtered or unexported fields
}
CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.
func (*CertificateSigningRequestStatus) Descriptor
deprecated
func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int)
Deprecated: Use CertificateSigningRequestStatus.ProtoReflect.Descriptor instead.
func (*CertificateSigningRequestStatus) GetCertificate ¶
func (x *CertificateSigningRequestStatus) GetCertificate() []byte
func (*CertificateSigningRequestStatus) GetConditions ¶
func (x *CertificateSigningRequestStatus) GetConditions() []*CertificateSigningRequestCondition
func (*CertificateSigningRequestStatus) ProtoMessage ¶
func (*CertificateSigningRequestStatus) ProtoMessage()
func (*CertificateSigningRequestStatus) ProtoReflect ¶
func (x *CertificateSigningRequestStatus) ProtoReflect() protoreflect.Message
func (*CertificateSigningRequestStatus) Reset ¶
func (x *CertificateSigningRequestStatus) Reset()
func (*CertificateSigningRequestStatus) String ¶
func (x *CertificateSigningRequestStatus) String() string
type ExtraValue ¶
type ExtraValue struct {
Items []string `protobuf:"bytes,1,rep,name=items" json:"items,omitempty"`
// contains filtered or unexported fields
}
ExtraValue masks the value so protobuf can generate +protobuf.nullable=true +protobuf.options.(gogoproto.goproto_stringer)=false
func (*ExtraValue) Descriptor
deprecated
func (*ExtraValue) Descriptor() ([]byte, []int)
Deprecated: Use ExtraValue.ProtoReflect.Descriptor instead.
func (*ExtraValue) GetItems ¶
func (x *ExtraValue) GetItems() []string
func (*ExtraValue) ProtoMessage ¶
func (*ExtraValue) ProtoMessage()
func (*ExtraValue) ProtoReflect ¶
func (x *ExtraValue) ProtoReflect() protoreflect.Message
func (*ExtraValue) Reset ¶
func (x *ExtraValue) Reset()
func (*ExtraValue) String ¶
func (x *ExtraValue) String() string
Source Files
Click to show internal directories.
Click to hide internal directories.